Fidelis Cybersecurity

What is Network Detection and Response?

Defining Network Detection and Response

Gartner defines Network Detection and Response (NDR) as the following: Network Detection and Response uses a combination of machine learning, advanced analytics and rule-based detection to detect suspicious activities on enterprise networks.

NDR tools continuously analyze raw traffic and/or flow records (for example, NetFlow) to build models that reflect normal network behavior. When the NDR tools detect abnormal traffic patterns, they raise alerts. In addition to monitoring north/south traffic that crosses the enterprise perimeter, NDR solutions can also monitor east/west communications by analyzing network traffic or flow records that it receives from strategically placed network sensors.

Why is Network Detection and Response Important?

Advanced attacks are designed to evade traditional preventative and detection techniques. Network Detection and Response solutions provide a sound method for identifying threats traversing through the network as well as through cloud traffic. One key attribute of Network Detection and Response solutions is the coverage across all ports and protocols to ensure full visibility.

There are a multitude of detection techniques that Network Detection and Response solutions leverage, including supervised and unsupervised machine-learning techniques, deep packet and deep session inspection, malware detection, sandboxing, asset inventory, and more.

Beyond detection, organizations also use NDR solutions to help investigate and mitigate an incident. To this end, Network Detection and Response tools that are integrated with endpoint detection and response solutions can offer substantial improvements in speeding alert investigation and resolution. A good example of this is automatically validating that a detected threat via network traffic has in fact compromised an endpoint or multiple endpoints in the environment, and then having the ability to automatically take an action, such as isolating that impacted endpoints from the network.

Network Detection and Response solutions can also collect and store rich metadata that can be easily searched for deeper investigation and hunting efforts. The value of the metadata is that it is easy to query, facilitates faster investigations and is much more cost-effective than storing full PCAPs.

Examples of metadata that can be collected are the:

WHO
domain user, webmail user, FTP user, email address, device ID, organization name

WHAT
filenames, SHA256, MD5, content tags, malware name, malware type

WHEN
from present day/time to as far back as you want to store data

WHERE
source, destination, country, IP address, organization, url, domain

HOW
protocols, applications, file type, user agent, custom protocols, obfuscated files and scripts

What are the Key Aspects of a NDR Solution?

A robust Network Detection and Response solution should:

  • Provide visibility across all ports and all protocols
  • Bi-directionally scan all network traffic to reveal network and application protocols, files, and content via sensors that can be placed at the gateway, internally, in the cloud, and at both the email and web gateways
  • Conduct real-time analysis of raw network packet traffic or traffic flows
  • Monitor and analyze north/south traffic and as east/west traffic
  • Differentiate between normal and anomalous network and cloud traffic
  • Leverage machine learning and analytics to detect network traffic anomalies
  • Provide rich metadata that enables retrospective detection and analysis going back many months
  • Profile TLS encrypted traffic based on metadata and certificates, determining human browsing versus machine traffic, and leveraging data science models to detect hidden threats
  • Consolidate “Like” alerts and the related context and evidence to speed alert triage
  • Help automate relevant response actions based on what has been detected

Eliminate Blind Spots with Network Detection and Response

Podcast

Tune in with our CCSO,
Craig Harber, about
role of response in NDR.

WATCH NOW

White Paper

Overcome Detection Gaps
of Deep Packet Inspection
tools in this white paper.

READ NOW

Fidelis Network®

Protect threats and
prevent data loss
with Fidelis Network.

LEARN MORE

Speak to Our Experts

Schedule a Demo
Return to the Education Center
squares

Get Started

See Fidelis Cybersecurity platforms in action. Learn how our fast, scalable Fidelis Elevate and Fidelis CloudPassage Halo platforms provide deep insights into the SOC to help security teams worldwide protect, detect, respond, and neutralize even the most advanced cyber adversaries.